Implementing a professional QoS configuration on MikroTik RouterOS v7

Complete Guide to MikroTik QoS Configuration for RouterOS 7: Dual ISP Load Balancing & Advanced Traffic Shaping

Published: March 20, 2026

Are you struggling with network congestion? Do you want to prioritize critical traffic on your MikroTik router? In this comprehensive guide, I'll walk you through implementing a professional-grade Quality of Service (QoS) configuration on MikroTik RouterOS 7 with dual ISP load balancing.

What is QoS and Why Do You Need It?

Quality of Service (QoS) is a networking technology that allows you to manage bandwidth allocation and prioritize traffic based on your business needs. Without QoS, all traffic is treated equally, which can cause:

  • Slow internet during peak hours
  • Lag in online gaming and video conferencing
  • VoIP call quality issues
  • Unfair bandwidth distribution among users

With proper QoS implementation, you can ensure that critical applications (like VoIP and video calls) always have sufficient bandwidth while non-critical traffic is deprioritized.

Understanding the Repository Structure

The MikroTik-QOS-ROS-7 repository on GitHub contains two main configuration scripts:

1. qos-dualisp.rsc - Dual ISP Configuration

This is the primary configuration script designed for environments with two internet service providers. It includes:

  • Load balancing across two ISPs
  • Automatic failover if one ISP goes down
  • Advanced queuing with CAKE, PCQ, and FQ-CODEL
  • Comprehensive firewall protection

2. updated-qos-singleisp - Single ISP Configuration

For organizations with a single internet connection, this script provides QoS without the dual ISP complexity.

Key Features of This Configuration

🎯 Advanced Queue Types

PCQ (Per Connection Queue)
Ensures fair bandwidth distribution by limiting each user/connection individually. Perfect for preventing any single user from hogging all bandwidth.

CAKE (Common Applications Kept Enhanced)
A modern queue discipline that's excellent for WAN optimization. It reduces latency and improves throughput, making it ideal for dual ISP scenarios.

FQ-CODEL (Fair Queuing Controlled Delay)
Prevents bufferbloat and reduces latency by dropping packets before buffers overflow. Great for real-time applications like VoIP.

SFQ (Stochastic Fairness Queuing)
Provides fairness among flows with lower computational overhead.

📊 Intelligent Traffic Classification

The configuration uses DSCP (Differentiated Services Code Point) marking to classify traffic:

  • VoIP/RTP (DSCP 46) - Highest priority for voice calls
  • Video Calls (DSCP 34) - High priority for video conferencing
  • Gaming/Interactive (DSCP 26) - Medium-high priority
  • DNS (DSCP 40) - Fast DNS resolution
  • General Traffic (DSCP 32) - Standard web browsing

🌐 Dual ISP Load Balancing

One of the most powerful features is the PCC (Per Connection Classifier) based load balancing:

  • Distributes traffic across two ISPs based on connection hash
  • Both ISPs are active simultaneously
  • Automatic failover if primary ISP fails
  • Separate routing tables for each ISP (to-isp1, to-isp2)

🔐 Enterprise-Grade Security

RFC Bogon Filtering
Blocks packets from reserved IP addresses that should never appear on the internet.

DDoS Protection
Drops DNS queries that arrive on the WAN interfaces, so the router cannot be used as a reflector in DNS amplification attacks.

Virus/Malware Port Blocking
Pre-configured blocking for known malware ports including Conficker, MyDoom, SubSeven, and others.

Smurf Attack Detection
Automatically detects and blocks Smurf attacks targeting broadcast addresses.

Advanced ICMP Protection
Allows legitimate ICMP messages while blocking suspicious ones.

Network Architecture Overview

Here's how the network is typically organized:

┌─────────────────────────────────────┐
│  WAN (ISP1 & ISP2)                  │
│  ether1 & ether2                    │
└────────────┬────────────────────────┘
             │
        ┌────▼─────┐
        │ MikroTik │
        │ Router   │
        └────┬─────┘
             │
    ┌────────┼────────┐
    │        │        │
┌───▼──┐ ┌───▼──┐ ┌───▼───┐
│Local │ │Local │ │Hotspot│
│Net 1 │ │Net 2 │ │Pool   │
└──────┘ └──────┘ └───────┘

IP Address Scheme

  • ISP Connections: 192.168.1.0/24 (ether1, ether2)
  • Local Network 1: 10.0.50.0/24 (ether3)
  • Local Network 2: 192.168.50.0/28 (ether4)
  • Management Network: 192.168.0.0/24
  • Hotspot Pool: 172.17.0.0/24

Step-by-Step Installation Guide

Prerequisites

  • MikroTik RouterOS 7.x installed
  • SSH or Console access to the router
  • Backup of your current configuration
  • Knowledge of your ISP details (gateway IPs, DNS servers)

Installation Steps

Step 1: Download the Configuration

Clone or download the repository from GitHub:

git clone https://github.com/enricagra/MikroTik-QOS-ROS-7.git

Step 2: Connect to Your Router

Via SSH:

ssh admin@192.168.88.1

Or use WinBox to connect to the router's IP address.

Step 3: Backup Your Configuration

Before making any changes:

/system backup make name=before-qos

Step 4: Upload the Script

Transfer the qos-dualisp.rsc file to your router and import it:

/import file-name=qos-dualisp.rsc

Step 5: Customize the Configuration

Edit the following parameters to match your network:

Change ISP Gateways:

/ip route
set [ find dst-address=192.168.1.1 ] gateway=YOUR-ISP1-GATEWAY
set [ find dst-address=192.168.1.2 ] gateway=YOUR-ISP2-GATEWAY

Update DNS Servers:

/ip dns
set servers=YOUR-DNS1,YOUR-DNS2

Change Router Identity:

/system identity
set name=YOUR-ROUTER-NAME

Step 6: Reboot and Verify

/system reboot

After reboot, verify the configuration:

/queue simple print
/ip firewall filter print
/ip route print
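
Step 4 imports a third-party script that, per this guide, sets up user groups, an SNMP community, management services and a packet sniffer, so it helps to list those commands before running /import. The Python script below is an added example, not part of the repository; the menu list is its own choice and the sample lines are constructed from settings mentioned in this article.

```python
import re

# Menus that change who can reach the router or where its data goes.
# The list is this example's own choice, not a complete policy.
SENSITIVE = {
    "/user": "creates or changes a login",
    "/user group": "defines a permission group",
    "/snmp community": "sets an SNMP community string",
    "/tool sniffer": "configures packet capture",
    "/ip service": "changes a management service",
    "/system scheduler": "schedules a script",
}
VERBS = {"add", "set", "remove", "enable", "disable"}

def audit(text):
    """Return (menu, reason, command) for each command in a sensitive menu."""
    menu, findings = "", []
    # A trailing backslash continues the command on the next line.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].startswith("/"):
            # The menu path runs up to the first verb; the rest is the command.
            cut = next((i for i, w in enumerate(words) if w in VERBS), len(words))
            menu, words = " ".join(words[:cut]), words[cut:]
        if words and menu in SENSITIVE:
            cmd, reason = " ".join(words), SENSITIVE[menu]
            if menu == "/tool sniffer" and "streaming-server=" in cmd:
                reason = "streams packets to " + cmd.split("streaming-server=")[1].split()[0]
            if menu == "/ip service" and "address=" not in cmd and "disabled=yes" not in cmd:
                reason += " without an address= restriction"
            findings.append((menu, reason, cmd))
    return findings

# Constructed sample in export style, built from settings this article mentions.
SAMPLE = r"""
/snmp community
add name=snmp-home
/tool sniffer
set filter-interface=ether1,ether2 \
    streaming-server=192.168.50.7
/user group add name=api1
/ip service set ssh address=192.168.50.0/28,10.0.50.0/24
/ip service set api disabled=no
"""

for finding in audit(SAMPLE):
    print(" | ".join(finding))
```

Run it against the downloaded .rsc file's text instead of SAMPLE and read every reported command before importing.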

Customization Guide

Adjusting Bandwidth Limits

Modify the queue rates based on your ISP speeds:

/queue simple
# Set max-limit to your desired bandwidth
set [ find name="speed stabilizer" ] max-limit=YOUR-SPEED-LIMIT

Adding More User Networks

To add a new subnet:

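/ip address
add address=YOUR-NEW-SUBNET interface=YOUR-INTERFACE

# The DHCP server refers to an address pool by name, so create the pool first
/ip pool
add name=new-pool ranges=YOUR-POOL-RANGE

/ip dhcp-server
add name=new-dhcp interface=YOUR-INTERFACE address-pool=new-pool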

Modifying Firewall Rules

Add custom firewall rules after the existing ones:

/ip firewall filter
add action=accept chain=forward protocol=tcp dst-port=YOUR-PORT comment="Your custom rule"

Monitoring Your QoS Configuration

Real-Time Traffic Monitoring

Use WinBox or terminal to monitor:

# View active connections
/ip firewall connection print

# Monitor queue statistics
/queue simple print stats

# Check interface statistics
/interface print stats

SNMP Monitoring

The configuration includes SNMP support. Configure your monitoring tool to:

  • Target: 192.168.50.11 (or your monitoring server)
  • Community: snmp-home
  • Version: 2

Traffic Analysis with Packet Sniffer

The configuration includes a packet sniffer on ether1 and ether2, streaming to 192.168.50.7:

/tool sniffer
set filter-interface=ether1,ether2 streaming-server=192.168.50.7
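
To confirm on the receiving host that packets carry the DSCP values listed earlier, the sniffer stream can be decoded there. The Python code below is an added example, not part of the repository: it assumes the stream uses MikroTik's TZSP encapsulation (sent over UDP, port 37008 by default), and the sample datagram is constructed.

```python
import struct

# DSCP classes as listed in this article.
CLASSES = {46: "VoIP/RTP", 34: "Video Calls", 26: "Gaming/Interactive",
           40: "DNS", 32: "General Traffic"}

def strip_tzsp(datagram):
    """Return the Ethernet frame carried in one TZSP datagram."""
    version, _kind, proto = struct.unpack("!BBH", datagram[:4])
    if version != 1 or proto != 1:            # proto 1 = Ethernet
        raise ValueError("not a TZSP/Ethernet datagram")
    i = 4
    while datagram[i] != 1:                   # tag 1 ends the tag list
        # Tag 0 is one byte of padding; other tags are type, length, value.
        i += 1 if datagram[i] == 0 else 2 + datagram[i + 1]
    return datagram[i + 1:]

def dscp_of(frame):
    """Return the DSCP value of an IPv4 frame, or None for other traffic."""
    ethertype, = struct.unpack("!H", frame[12:14])
    ip = 14
    if ethertype == 0x8100:                   # one 802.1Q VLAN tag
        ethertype, = struct.unpack("!H", frame[16:18])
        ip = 18
    if ethertype != 0x0800 or len(frame) < ip + 20:
        return None
    return frame[ip + 1] >> 2                 # top six bits of the ToS byte

def classify(datagram):
    """Map a sniffer datagram to the article's class name for its DSCP."""
    dscp = dscp_of(strip_tzsp(datagram))
    return dscp, CLASSES.get(dscp, "unlisted")

def sample_datagram(tos):
    """Constructed test input: TZSP header, tags, Ethernet + IPv4 header."""
    eth = bytes(12) + b"\x08\x00"
    ipv4 = bytes([0x45, tos]) + bytes(18)
    return b"\x01\x00\x00\x01" + b"\x00\x01" + eth + ipv4

if __name__ == "__main__":
    print(classify(sample_datagram(46 << 2)))   # EF-marked voice packet
```

On the monitoring host, pass each UDP payload received from the router to classify() and count the results per class.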

Security Best Practices

🔒 Essential Security Steps

  1. Change Default Credentials - Never use default admin/admin
  2. Update SSH Access - Restrict SSH to trusted IP ranges
  3. Enable Firewall - Don't disable firewall rules
  4. Update Bogon Lists - If using reserved IPs, customize the lists
  5. Monitor Port Scanning - Review port scanner detection logs
  6. Regular Backups - Backup configuration weekly

SSH Access Restriction

/ip service
set ssh address=192.168.50.0/28,10.0.50.0/24

User Groups for Access Control

The configuration creates three user groups:

  • hotspot - Web and SSH access
  • api - API access for automation
  • api1 - Full administrative access

Troubleshooting Common Issues

Issue 1: No Internet After Applying Configuration

Solution:

  • Verify ISP gateway addresses are correct
  • Check firewall filter rules aren't blocking outbound traffic
  • Restore from backup if needed

Issue 2: One ISP Not Balancing Traffic

Solution:

  • Check routing tables: /ip route print
  • Verify PCC rules are applied
  • Test connectivity to each ISP separately

Issue 3: High Latency on WAN

Solution:

  • Reduce queue limits to prevent bufferbloat
  • Verify CAKE queue is enabled
  • Check for packet loss on ISP links

Issue 4: Users Complaining About Slow Speed

Solution:

  • Check queue rates match ISP speeds
  • Verify DSCP marking is working correctly
  • Monitor for congestion during peak hours

Advanced Tips & Tricks

1. Dynamic IP Failover

The configuration supports automatic failover with gateway checking:

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=YOUR-ISP1-GATEWAY

If the primary gateway doesn't respond to ping, traffic automatically switches to the secondary gateway.

2. Per-User Bandwidth Limits

Use hotspot user profiles to set individual user bandwidth limits:

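/ip hotspot user
# limit-bytes-in is a total data quota in bytes (about 1 GB here), not a speed cap;
# per-user speed is set with rate-limit on the hotspot user profile
add name=user1 profile=default-profile password=password limit-bytes-in=1000000000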

3. Time-Based Traffic Rules

Create rules that apply only during specific times:

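/ip firewall filter
# The time value is a range followed by the days it applies to.
# With no other matchers this drops all forwarded traffic in that window; add src-address, dst-port, etc. to narrow it
add chain=forward time=9h-17h,sun,mon,tue,wed,thu,fri,sat action=drop comment="Block during work hours"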

4. Automated Configuration Backup

Schedule automatic backups:

/system scheduler
add name=daily-backup interval=1d on-event="/system backup make"

Performance Benchmarks

When properly configured, you can expect:

  • Latency Reduction: 20-40% improvement with CAKE queue
  • Throughput: Near-line-rate performance on dual ISPs
  • Jitter: Minimal jitter for VoIP with proper DSCP marking
  • CPU Usage: 15-25% on modern MikroTik hardware

Conclusion

Implementing a professional QoS configuration on MikroTik RouterOS can dramatically improve your network performance. The configuration provided in this repository offers:

  • ✅ Enterprise-grade QoS with multiple queue types
  • ✅ Dual ISP load balancing with automatic failover
  • ✅ Comprehensive security with DDoS and malware protection
  • ✅ Advanced traffic classification with DSCP marking
  • ✅ Easy to customize for your specific needs

Whether you're running a small business network, an ISP, or a large campus, this configuration provides the foundation for a robust and efficient network.

About the Author

Repository Creator: enricagra

This comprehensive QoS configuration was created and tested for production environments. Feel free to fork the repository, contribute improvements, or report issues on GitHub.


Disclaimer: This configuration is provided for educational and operational purposes. Always test in a non-production environment first, backup your existing configuration, and understand each section before applying. MikroTik configurations can significantly impact network performance and security.

Last Updated: March 20, 2026
